pike.git / lib / modules / SSL.pmod / Connection.pike

version» Context lines:

pike.git/lib/modules/SSL.pmod/Connection.pike:26:   //! @seealso   //! @[ClientConnection], @[ServerConnection], @[Context],   //! @[Session], @[File], @[State]      //#define SSL3_PROFILING      import .Constants;   #define State .State   #define Session .Session   #define Context .Context + #define Buffer .Buffer      #ifdef SSL3_DEBUG   #define SSL3_DEBUG_MSG(X ...) werror(X)   #else /*! SSL3_DEBUG */   #define SSL3_DEBUG_MSG(X ...)   #endif /* SSL3_DEBUG */      Session session;   Context context;   
pike.git/lib/modules/SSL.pmod/Connection.pike:82:      Alert alert(int(1..2) level, int(8bit) description,    string|void message)   {    return context->alert_factory(this, level, description, version,    message);   }      string(8bit) get_signature_algorithms()   { -  Stdio.Buffer sign_algs = Stdio.Buffer(); +  Buffer sign_algs = Buffer();    foreach(context->get_signature_algorithms(), [int hash, int sign])    {    sign_algs->add_int(hash, 1);    sign_algs->add_int(sign, 1);    }    return (string(8bit))sign_algs;   }      #ifdef SSL3_PROFILING   System.Timer timer = System.Timer();
pike.git/lib/modules/SSL.pmod/Connection.pike:140:    Crypto.MD5.hash(handshake_messages)+    Crypto.SHA1.hash(handshake_messages), 12);    } else if(version >= PROTOCOL_TLS_1_2) {    return session->cipher_spec->prf(session->master_secret, sender,    session->cipher_spec->hash->hash(handshake_messages), 12);    }   }      Packet certificate_packet(array(string(8bit)) certificates)   { -  ADT.struct struct = ADT.struct(); +  Buffer struct = Buffer();    struct->put_var_string_array(certificates, 3, 3);    return handshake_packet(HANDSHAKE_certificate, struct->pop_data());   }      Packet heartbeat_packet(string(8bit) s)   {    Packet packet = Packet(version);    packet->content_type = PACKET_heartbeat;    packet->fragment = s;    return packet;
pike.git/lib/modules/SSL.pmod/Connection.pike:183:    // by crafting a heartbeat packet with insufficient (0) padding.    //    // If we get a response, the peer doesn't validate the message sizes    // properly, and probably suffers from the Heartbleed vulnerability.    //    // Note that we don't use negative padding (as per the actual attack),    // to avoid actually stealing information from the peer.    //    // Note that we detect the packet on return by it having all zeros    // in the second field. -  Stdio.Buffer hb_msg = Stdio.Buffer(); +  Buffer hb_msg = Buffer();    hb_msg->add_int(HEARTBEAT_MESSAGE_request, 1);    hb_msg->add_int(16, 2);    int now = gethrtime();    hb_msg->add(heartbeat_encode->crypt(sprintf("%8c%8c", now, 0)));    // No padding.    return heartbeat_packet((string(8bit))hb_msg);   }      // verify that a certificate chain is acceptable   //
pike.git/lib/modules/SSL.pmod/Connection.pike:613:   }      void send_heartbeat()   {    if ((state != CONNECTION_ready) ||    (session->heartbeat_mode != HEARTBEAT_MODE_peer_allowed_to_send)) {    // We're not allowed to send heartbeats.    return;    }    -  Stdio.Buffer hb_msg = Stdio.Buffer(); +  Buffer hb_msg = Buffer();    hb_msg->add_int(HEARTBEAT_MESSAGE_request, 1);    hb_msg->add_int(16, 2);    int now = gethrtime();    hb_msg->add(heartbeat_encode->crypt(sprintf("%8c%8c", now, now)));    // We pad to an even 64 bytes.    hb_msg->add(random_string(64 - sizeof(hb_msg)));    send_packet(heartbeat_packet((string(8bit))hb_msg));   }      void handle_heartbeat(string(8bit) s)   {    if (sizeof(s) < 19) return; // Minimum size for valid heartbeats. -  Stdio.Buffer hb_msg = Stdio.Buffer(s); +  Buffer hb_msg = Buffer(s);    int hb_type = hb_msg->read_int(1);    int hb_len = hb_msg->read_int(2);       SSL3_DEBUG_MSG("SSL.Connection: Heartbeat %s (%d bytes)",    fmt_constant(hb_type, "HEARTBEAT_MESSAGE"), hb_len);       string(8bit) payload;    int pad_len = 16;       // RFC 6520 4:
pike.git/lib/modules/SSL.pmod/Connection.pike:663:    }       switch(hb_type) {    case HEARTBEAT_MESSAGE_request:    // RFC 6520 4:    // When a HeartbeatRequest message is received and sending a    // HeartbeatResponse is not prohibited as described elsewhere in    // this document, the receiver MUST send a corresponding    // HeartbeatResponse message carrying an exact copy of the payload    // of the received HeartbeatRequest. -  hb_msg = Stdio.Buffer(); +  hb_msg = Buffer();    hb_msg->add_int(HEARTBEAT_MESSAGE_response, 1);    hb_msg->add_int(hb_len, 2);    hb_msg->add(payload);    hb_msg->add(random_string(pad_len));    send_packet(heartbeat_packet((string(8bit))hb_msg));    break;    case HEARTBEAT_MESSAGE_response:    // RFC 6520 4:    // If a received HeartbeatResponse message does not contain the    // expected payload, the message MUST be discarded silently.    if ((sizeof(payload) == 16) && heartbeat_decode) { -  hb_msg = Stdio.Buffer(heartbeat_decode->crypt(payload)); +  hb_msg = Buffer(heartbeat_decode->crypt(payload));    int a = hb_msg->read_int(8);    int b = hb_msg->read_int(8);    if (a != b) {    if (!b) {    // Heartbleed probe response.    send_packet(alert(ALERT_fatal, ALERT_insufficient_security,    "Peer suffers from a bleeding heart.\n"));    }    break;    }
pike.git/lib/modules/SSL.pmod/Connection.pike:871:    sscanf(handshake_buffer, "%*c%3c", len);    if (sizeof(handshake_buffer) < (len + 4))    break;    mixed exception = catch {    err = handle_handshake(handshake_buffer[0],    handshake_buffer[4..len + 3],    handshake_buffer[.. len + 3]);    };    if( exception )    { -  if( objectp(exception) && ([object]exception)->ADT_struct ) +  if( objectp(exception) && ([object]exception)->buffer_error )    {    Error.Generic e = [object(Error.Generic)]exception;    send_packet(alert(ALERT_fatal, ALERT_decode_error,    e->message()));    return -1;    }    throw(exception);    }    handshake_buffer = handshake_buffer[len + 4..];    if (err < 0)
pike.git/lib/modules/SSL.pmod/Connection.pike:926:    send_packet(alert(ALERT_warning, ALERT_unexpected_message,    "Heart beat mode not enabled.\n"));    break;    }       mixed exception = catch {    handle_heartbeat(packet->fragment);    };    if( exception )    { -  if( objectp(exception) && ([object]exception)->ADT_struct ) +  if( objectp(exception) && ([object]exception)->buffer_error )    {    Error.Generic e = [object(Error.Generic)]exception;    send_packet(alert(ALERT_fatal, ALERT_decode_error,    e->message()));    return -1;    }    throw(exception);    }       }